Legal Documents:
- Legal Hub
- Terms of Service
- Privacy & Cookie Policy
- Sub-Processors
- Cookie & Tracking Policy
Cookie & Tracking Policy
This Cookie & Tracking Policy explains what tracking technologies Bread & Butter uses, what data is stored on a visitor’s device, why it is stored, and how it can be managed or removed. This Policy applies both to breadbutter.io (our own website) and to websites belonging to our Customers that have installed the Bread & Butter Platform.
Unlike most analytics and marketing tools, Bread & Butter does not set third-party HTTP cookies and does not rely on any third-party cookie infrastructure. Visitor journey data is persisted using the browser’s Local Storage API — a fundamentally different mechanism from cookies. This distinction matters for privacy, compliance, and data accuracy. See Section 2 below for details.
1. Cookies Set by Bread & Butter
1.1 First-Party Session Cookie (WordPress Plugin Only)
When the Bread & Butter WordPress Plugin is active, a single first-party session cookie may be set on the Customer’s domain to maintain the visitor’s authenticated session state within the WordPress environment. This cookie:
- Is scoped to the Customer’s own domain (e.g.,
yourwebsite.com), not to breadbutter.io - Is a standard WordPress session cookie and is not unique to Bread & Butter
- Does not track the visitor across other websites
- Expires when the browser session ends or as configured in WordPress settings
1.2 No Third-Party Cookies
Bread & Butter does not set or read any third-party cookies — cookies originating from a domain other than the website the visitor is currently on. We do not participate in cross-site tracking networks, retargeting pixel networks, or third-party identity graphs.
1.3 Third-Party Cookies Set by Identity Providers
When a visitor authenticates using a social login option (Google, Microsoft, LinkedIn, Apple, etc.) on a Customer’s Bread & Butter conversion widget, the identity provider (not Bread & Butter) may set their own cookies on their domain as part of the OAuth authentication flow. These cookies are governed by the respective provider’s privacy policy and are outside Bread & Butter’s control.
2. Browser Local Storage
2.1 What Is Local Storage?
Local Storage is a browser-based API that allows web applications to store key-value data on the visitor’s device. Unlike HTTP cookies, Local Storage data:
- Is not automatically sent to the server with every HTTP request
- Is not accessible by third-party domains (it is scoped to the originating domain under the browser’s same-origin policy)
- Is not subject to the same expiry rules as cookies — it persists until explicitly cleared by the browser or the user
- Is immune to many cookie-blocking mechanisms, including Apple’s Intelligent Tracking Prevention (ITP) — which is one reason our WordPress Plugin is significantly more accurate than browser-side tracking tools
2.2 What Bread & Butter Stores in Local Storage
| Key / Identifier | Purpose | Data Stored | Duration |
|---|---|---|---|
| bb_visitor_id | Anonymous visitor session identifier — links page views across a single visit and across return visits on the same device/browser | Randomly generated pseudonymous identifier (no name, email, or directly identifying data) | Persistent (until cleared) |
| bb_journey | Stores a hashed summary of the visitor’s page journey for AI scoring continuity | Hashed page path references and session metadata (not full URLs or form content) | Persistent (until cleared) |
| bb_consent | Records the visitor’s consent decision when the Bread & Butter cookie consent tool is active on the Customer’s website | Consent status (accepted / declined), timestamp, and consent tool version | Persistent (until cleared) |
| bb_utm | Preserves UTM campaign attribution parameters from the visitor’s initial landing URL for attribution reporting | UTM source, medium, campaign, term, and content values from the URL query string | Session or until next UTM-tagged visit |
| bb_identity | Stores the visitor’s confirmed identity once they have actively identified themselves (form submission or social login) | Name and email address (only populated after visitor actively provides identity) | Persistent (until cleared) |
The bb_identity key is never populated without an active, voluntary action by the visitor — such as submitting a contact form, booking a demo, or authenticating via social login. Anonymous browsing behaviour is recorded under a pseudonymous identifier only. Bread & Butter does not attempt to de-anonymise visitors who have not actively identified themselves.
2.3 How to Clear Local Storage
Visitors can clear Bread & Butter Local Storage data at any time through their browser settings:
- Chrome / Edge: Settings → Privacy and security → Clear browsing data → “Cached images and files” and “Site data”
- Safari: Settings → Privacy → Manage Website Data → remove the relevant domain
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
Clearing Local Storage will reset the visitor’s session identifier. If the visitor subsequently returns, a new anonymous identifier will be generated and they will not be linked to their previous visit history.
3. Server-Side Tracking (WordPress Plugin)
When the Bread & Butter WordPress Plugin is installed, visitor page requests are intercepted at the web server level before the page is rendered in the browser. This means:
- The visitor’s IP address, request headers, and page URL are processed server-side
- No JavaScript execution in the visitor’s browser is required to capture the page view event
- The tracking is invisible to browser-side ad-blockers and privacy extensions
- Apple ITP, Safari privacy protections, and similar browser restrictions do not apply
The IP address captured server-side is used solely to: (a) derive approximate geographic location via MaxMind GeoIP2; and (b) generate a pseudonymous device-level identifier for journey continuity. Raw IP addresses are not stored indefinitely and are not disclosed to Customers in their raw form.
4. The Bread & Butter Cookie Consent Tool
Bread & Butter provides an optional, built-in cookie consent and notice tool available to all Customers (free and paid) for use on their websites. When a Customer enables this tool:
- A consent banner is displayed to website visitors on first visit
- The visitor’s accept or decline response is recorded in the
bb_consentLocal Storage key - A consent event is logged in the Bread & Butter Platform, capturing: consent status, UTC timestamp, approximate location (IP-derived), and device/browser information
- Consent records are owned by the Customer and treated as Customer Data under Section 8 of the EULA
The consent tool provides a minimum-viable consent capture mechanism. It may not satisfy all requirements of the GDPR ePrivacy Directive, CCPA/CPRA, or other jurisdiction-specific regulations. Customers are responsible for their own compliance and should seek legal advice regarding the adequacy of the tool for their specific use case. See Section 9.9 of the EULA for full details.
5. Analytics on breadbutter.io
On our own marketing website (breadbutter.io), we may use standard web analytics tools to understand how visitors interact with our content. Any analytics tools used on our own website that set cookies will be disclosed here when configured. We honour browser “Do Not Track” signals where technically feasible.
6. Your Choices
- Browser settings: You can configure your browser to block cookies and/or Local Storage. Note that blocking Local Storage on a Customer’s website may affect the accuracy of analytics and personalisation features but will not prevent server-side tracking (if the WordPress Plugin is in use).
- Opt-out of identity resolution: If you have previously submitted your identity to a Customer’s website and wish to have your data removed from that Customer’s Bread & Butter account, contact the Customer directly. The Customer, as data controller, is responsible for handling your request.
- Contact us: For questions about Bread & Butter’s own tracking practices, email support@breadbutter.io.
7. Changes to This Policy
We may update this Cookie & Tracking Policy to reflect changes in our tracking practices or applicable law. Material changes will be communicated by updating the “Effective Date” and, where appropriate, by email notice to Customer administrators.
